Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) flaw in the Custom 404 Pro plugin. An attacker can craft a request that a victim's browser sends on the attacker's behalf, potentially causing the plugin to execute privileged operations with the victim's credentials. The primary impact is that an attacker can trigger unauthorized actions within the WordPress site using the victim's authenticated session. The flaw maps to CWE-352 (Cross-Site Request Forgery) because the plugin acts on a state-changing request without verifying that the authenticated user intentionally submitted it.
Affected Systems
Affected systems include the Kunal Custom 404 Pro plugin for WordPress. Versions from the earliest available release up through 3.12.0 are vulnerable. The vulnerability therefore applies to every installation of this plugin that has not been updated to a release later than 3.12.0.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The flaw is not currently in the CISA Known Exploited Vulnerabilities (KEV) catalog. Because the CSRF flaw requires a victim who is authenticated to WordPress, an attacker's success depends on the victim holding a valid session, either by luring an already logged-in user to a malicious page or by first compromising credentials. The browser automatically attaches the victim's cookies to the forged request, so a check that relies on the session cookie alone does not stop it.
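To make the mechanism above concrete, the following is an added PHP illustration, not code from the Custom 404 Pro plugin: a hypothetical settings-save handler that trusts only the WordPress login cookie, beside the same handler guarded with a WordPress nonce and a capability check. The action names, option name and form page slug are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Both handlers hook into
// admin-post.php; the first shows the CSRF-prone pattern, the second the
// hardened one. Action, option and page names are hypothetical.

// VULNERABLE PATTERN: the only check is the WordPress login cookie, which the
// browser attaches to any request, including one a third-party page triggers.
function c404_example_save_settings_unsafe() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    $redirect = isset( $_POST['redirect_url'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) ) : '';
    update_option( 'c404_example_redirect_url', $redirect );
    wp_safe_redirect( admin_url( 'options-general.php?page=c404-example' ) );
    exit;
}
add_action( 'admin_post_c404_example_save_unsafe', 'c404_example_save_settings_unsafe' );

// HARDENED PATTERN: a per-user, time-limited nonce that a cross-origin page
// cannot read, plus an explicit capability check on the acting user.
function c404_example_save_settings_safe() {
    // check_admin_referer() terminates with a 403 when the nonce is missing or invalid.
    check_admin_referer( 'c404_example_save_settings', 'c404_example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $redirect = isset( $_POST['redirect_url'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) ) : '';
    update_option( 'c404_example_redirect_url', $redirect );
    wp_safe_redirect( admin_url( 'options-general.php?page=c404-example' ) );
    exit;
}
add_action( 'admin_post_c404_example_save_safe', 'c404_example_save_settings_safe' );

// The settings form must embed the matching nonce field for the hardened handler.
function c404_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="c404_example_save_safe">
        <?php wp_nonce_field( 'c404_example_save_settings', 'c404_example_nonce' ); ?>
        <input type="url" name="redirect_url"
               value="<?php echo esc_attr( get_option( 'c404_example_redirect_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

A request forged from another origin reaches the unsafe handler with the victim's cookies and succeeds, while the same request fails the nonce check in the safe handler because the forging page cannot obtain the nonce value.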
OpenCVE Enrichment